Bug 1156378

Summary: SELinux denies package install for rolekit
Product: [Fedora] Fedora Reporter: Stephen Gallagher <sgallagh>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 21CC: awilliam, dominick.grift, dwalsh, lvrabec, mgrepl, plautrba, sgallagh, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: AcceptedBlocker
Fixed In Version: selinux-policy-3.13.1-91.fc21 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-31 07:40:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1043124    

Description Stephen Gallagher 2014-10-24 10:52:29 UTC 
Description of problem:
rolekit (actually roled) forks and exec()s 'yum install' to ensure that all of the packages it needs for a role deployment are in place.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-90.fc21.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Install a completely pristine Fedora Server 21 Beta system with all defaults.
2. run 'rolectl deploy --settings-file=/root/settings.json domaincontroller' with an appropriate settings.json (see https://fedorahosted.org/rolekit/wiki/DomainController)

Actual results:
The deployment fails during package installation, throwing script errors in the logs.

Expected results:
The deployment should succeed.

Additional info:

found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing yum from using the transition access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that yum should be allowed transition access on processes labeled rpm_script_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep yum /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:rolekit_t:s0
Target Context                system_u:system_r:rpm_script_t:s0
Target Objects                /usr/bin/bash [ process ]
Source                        yum
Source Path                   yum
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           bash-4.3.30-2.fc21.x86_64
Policy RPM                    selinux-policy-3.13.1-90.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     freeipa.rc1.beta.validation
Platform                      Linux freeipa.rc1.beta.validation
                              3.17.1-302.fc21.x86_64 #1 SMP Fri Oct 17 20:05:46
                              UTC 2014 x86_64 x86_64
Alert Count                   70
First Seen                    2014-10-24 06:29:11 EDT
Last Seen                     2014-10-24 06:30:51 EDT
Local ID                      74efb75d-0eeb-4ac6-917f-3319c5955648

Raw Audit Messages
type=AVC msg=audit(1414146651.343:464): avc:  denied  { transition } for  pid=1213 comm="yum" path="/usr/bin/bash" dev="dm-0" ino=267821 scontext=system_u:system_r:rolekit_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process permissive=0


Hash: yum,rolekit_t,rpm_script_t,process,transition
Comment 1 Fedora Blocker Bugs Application 2014-10-24 10:55:04 UTC 
Proposed as a Blocker for 21-beta by Fedora user sgallagh using the blocker tracking app because:

 "Unless explicitly specified otherwise, after system installation SELinux must be enabled and in enforcing mode." and "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully started, stopped, brought to a working configuration, and queried."
Comment 2 Adam Williamson 2014-10-24 11:00:23 UTC 
in case I don't wake up in time for the meeting tomorrow, I'm +1 blocker.
Comment 3 Miroslav Grepl 2014-10-24 13:49:52 UTC 
We need to add

optional_policy(`
    rpm_transition_script(rolekit_t, system_r)
')
Comment 4 Miroslav Grepl 2014-10-24 13:50:42 UTC 
commit cf74a399b86a6244a4927446a72aad7f955db03d
Author: Miroslav Grepl <mgrepl>
Date:   Fri Oct 24 15:50:24 2014 +0200

    Allow rolekit transition to rpm_script_t.
Comment 5 Adam Williamson 2014-10-24 17:46:30 UTC 
Discussed at 2014-10-24 Go/No-Go meeting: http://meetbot.fedoraproject.org/fedora-meeting-2/2014-10-24/f21_beta_gono-go_meeting.2014-10-24-17.01.log.txt . Accepted as a blocker per criterion cited in c#1.
Comment 6 Adam Williamson 2014-10-27 18:13:34 UTC 
sgallagh reports that the -91 build resolves the issue, so setting  VERIFIED for blocker tracking purposes. We need an update submitted with that build in it.
Comment 7 Lukas Vrabec 2014-10-29 10:30:23 UTC 
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-92.fc21?_csrf_token=eac04ed70627cfb42637cbabfc3629c7a1036ba9

build added to updates.
Comment 8 Adam Williamson 2014-10-30 19:12:34 UTC 
Lukas, for future reference, we really need you to submit the *exact build that was pulled through the freeze*, not a later one. It's usually not critical for Beta, but it absolutely is for Final, because the frozen tree *has* to match what's on the ISOs.
Comment 9 Adam Williamson 2014-10-31 07:40:56 UTC 
Actually it turns out it is critical for Beta, as we wanted to provide a frozen Beta tree for secondary arches to base their Beta build on.

dgilmore has tagged -91 for stable manually, so this should be OK now, but we really need to have the correct build submitted to Bodhi in future, thanks.
Comment 10 Lukas Vrabec 2014-11-03 09:41:05 UTC 
Adam, 
Sorry, my mistake, I'll avoid this.